CVE-2026-26331 — OS Command Injection in Project Yt-dlp

CWE-78 — OS Command Injection7 documents6 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 59.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Yt-dlp Yt-dlp Project Yt-dlp Debian Yt-dlp

Timeline

PublishedFeb 24

Description

yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even thoug…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶PyPIyt-dlp/yt-dlp2023.06.21 — 2026.02.21

▶debiandebian/yt-dlp< yt-dlp 2026.02.21-1 (forky)

▶NVDyt-dlp_project/yt-dlp2023.06.21 — 2026.02.21

▶Debianyt-dlp/yt-dlp< 2026.02.21-1

▶CVEListV5yt-dlp/yt-dlp>= 2023.06.21, < 2026.02.21

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-26331: yt-dlp is a command-line audio/video downloader↗2026-02-24

▶

GHSA

yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option↗2026-02-23

▶

OSV

yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option↗2026-02-23

▶

📋Vendor Advisories

Red Hat

yt-dlp: yt-dlp: Arbitrary command injection via maliciously crafted URL when --netrc-cmd is used↗2026-02-24

▶

Debian

CVE-2026-26331: yt-dlp - yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26331 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶